HIPAA: Keeping Patient Information Private

HIPAA is…
- A federal law called the Health Insurance Portability and Accountability Act of 1996
- One part of HIPAA is the Privacy Rule
- The main purpose of the HIPAA Privacy Rule is to provide better protections for patients’ protected health information (PHI)

Protected Health Information (PHI)
- Covers patient information in any form: written, verbal, or electronic
- PHI includes:
  - Any information that can be used to identify the patient, for example name, address, social security number, medical record number, telephone number, patient account number
  - Anything about the patient’s medical conditions and treatment, past, present, or possible
  - Billing and payment records

Before You Access Patient Information, Ask Yourself
1. Is the patient information I am about to access necessary for me to complete my job?
2. Am I accessing only the minimum necessary to complete my job, no more and no less?
3. Am I accessing, using, or disclosing this information for treatment, payment, or health care operations reasons?
4. If I am accessing, using, or disclosing this information, should I have a signed authorization from the patient?

When Is It Okay to Share PHI?
- Share only the minimum amount of PHI necessary to fulfill the job responsibility
- Share PHI only with those with a clinical or business need to know
- Share only the amount of PHI requested. The entire medical record may not be needed.

Examples of Minimum Necessary
- A billing clerk may need to know what laboratory test was done, but not the result
- An admissions clerk does not need access to the full medical record in order to carry out his/her job
- A patient transporter typically does not need access to the full medical record to do his/her job

Snooping and Casual Disregard: Our Greatest Risk
- Accessing the medical records of family members, friends, ex-spouses, neighbors, celebrities, etc.
- Failure to verify the authority of the individual receiving the PHI
- Improper use of technology such as camera phones, texting, and social networking sites
- Employees exceeding their scope of job duty

Are You a Criminal?
- Choosing not to comply with HIPAA could result in civil and criminal penalties, including going to jail
- If you obtain or disclose PHI without proper authority, you may face a fine of up to $50,000 and up to one year of jail time
- If you obtain PHI with the intent to sell it, give it to someone else, or for malicious reasons, you could receive a $250,000 fine and up to 10 years in jail

What Is the Difference Between Use and Disclosure of PHI?
- USE is sharing PHI within the facility
- DISCLOSURE is sharing PHI outside of the facility

What Is a Breach?
- Breach means the unauthorized acquisition, access, use, or disclosure of PHI maintained by or on behalf of a person.
- A breach does not include any unintentional acquisition, access, use or disclosure made in good faith and within the course and scope of your job, provided such information is not further acquired, accessed, used or disclosed.
- In other words, just looking up someone’s PHI, even if you don’t print it or tell someone else, is a breach, and you will be subject to disciplinary action up to and including termination.

Incidental Uses & Disclosures
- An incidental use or disclosure is not a violation of HIPAA provided the facility has applied reasonable safeguards and implemented the minimum necessary standard.
- Examples of incidental uses and disclosures:
  - Discussions during teaching rounds
  - Calling out a patient’s name in the waiting room
  - Sign-in sheets in hospitals and clinics containing the minimum information necessary

Protecting Patient Privacy: DO
- Close curtains and speak softly when discussing treatments in semi-private rooms
- Log off the computer when it is unattended
- Dispose of patient information in accordance with hospital policy and procedure
- Clear patient information off your desk and place it in a secure location when not in use
- Verify fax numbers and addresses before sending PHI

Protecting Patient Privacy: DON’T
- Discuss a patient in public areas such as elevators, hallways or cafeterias, or outside the facility or office
- Share your computer username, ID, or password
- Look at information about a patient unless you need it to do your job
- Take information about patients (including nursing report notes) home
- Discuss patient information in front of visitors without the explicit, documented authorization of the patient
- Post any patient-related information in church bulletins, on Facebook, MySpace, or any other social networking website
- Bring friends or family into areas of the facility, clinic, or agency where they can see or hear patients receiving care or where they might have access to PHI

Sharing PHI with Family & Friends
- The patient must be given the opportunity to agree, restrict, or object to providing PHI to family members, friends or others identified by the patient as involved in the patient’s care or payment for health care
- Document the patient’s decision
- Use professional judgment to determine if disclosing PHI would be in the patient’s best interest if the patient is unable to agree or object

Areas of Concern
- Friends/family/self: when you are seeking information on your family, friends or yourself, you are not acting as an employee and you must access PHI using the procedures required for non-employees. This means you need a written authorization for release of information, which can be obtained in HIM.
- You are not permitted to access your own medical records.

Areas of Concern
- Employees as patients: information available to the facility as a healthcare provider is not generally available to it in the role of an employer. For example, if an employee comes into the ED, his/her supervisor or co-workers should not be accessing his/her ED information. This can be a challenging area: call the Facility Privacy Officer if questions arise.

Areas of Concern
- Before PHI is removed from a facility for business purposes by any means, electronic or hard copy, the following questions must be answered:
  1. Does it need to go outside the facility?
  2. If so, are reasonable safeguards in place to protect the data from breach during transmission?

Examples of Potential HIPAA Violations
- Text messaging medical information about a patient to anyone!
- An employee passing on information to her son about his spouse or their children
- Allowing a former employee, friends, family or co-workers into off-limits areas where PHI is located; this includes children
- Taking pictures of patients with a cell phone camera
- Releasing information to a caller who is not properly identified as being authorized to receive information
- Mailing/faxing PHI to the wrong person
- Looking at the PHI of a co-worker, supervisor, family, friends, or self for non-work reasons
- Posting information about a patient or specific information about a day at your workplace on a social networking site such as Facebook

No Excuses
- Good intentions such as “I needed to let his mother know he was in the hospital,” or “She is my best friend and she wouldn’t mind me looking,” do not count. Just plain nosiness is NO excuse.
Reporting Suspected Violations of Our Privacy Policies
- Suspected HIPAA violations should be reported to:
  - Your Supervisor
  - The Facility Privacy Office
  - The Corporate Compliance and Privacy Officer
- The Confidential Disclosure Program Hotline may also be used by calling 1-800-495-9510

Non-retaliation
CHS POLICY AND STATE AND FEDERAL LAWS PROVIDE PROTECTION FROM RETRIBUTION OR RETALIATION AGAINST ANY PERSON FOR REPORTING ACTUAL OR SUSPECTED VIOLATIONS.

COMPLIANCE IS NOT AN OPTION: COMPLIANCE IS MANDATORY UNDER HIPAA
- Compliance with HIPAA is part of our culture.
- Compliance with HIPAA is part of your job responsibilities.
- Noncompliance may result in disciplinary action up to and including termination.
- Noncompliance may also result in civil and/or criminal penalties.

This Facility Protects Patient Privacy by…
- Assigning a Facility Privacy Officer (INSERT NAME & NUMBER)
- Having written policies and procedures to help employees understand the privacy rules
- Providing this privacy training to the workforce
- Putting in place ways to protect health information from being misused
- Having a way for patients and others to file complaints
- Providing discipline for employees who don’t follow the privacy practices

What Is the Notice of Privacy Practices?
- The Notice of Privacy Practices (sometimes referred to as the NPP) is:
  - An explanation to our patients of how their personal PHI is used and disclosed
  - The start of a dialogue with our patients regarding the purpose of the uses of information
  - An explanation of the patient’s rights as defined by the HIPAA Privacy Regulations
- The Notice of Privacy Practices is:
  - Available in a paper copy
  - On the facility web site
  - Posted in the facility

Disclosures with Authorization
- A valid Authorization is required for certain disclosures to:
  - Attorneys
  - Schools
  - Others
- Applies to situations where use falls outside of treatment, payment and healthcare operations and for which there is no exception to the authorization requirement
- Only certain staff members are permitted to accept and act upon patient authorizations

Disclosures Not Requiring Patient Authorization
- Required by federal or state law
  - Workers compensation
  - Birth reporting
  - Child abuse or domestic violence reporting
- Required for public health reasons
  - Sexually transmitted diseases
  - FDA-regulated products
- Required for national security reasons
- Prevent a serious threat of harm to the individual or others
- If in doubt, check with the Facility Privacy Officer before disclosing the information.

Facility Directory Disclosures
- The patient must be given the opportunity to opt out of the directory
- Unless the patient objects, the following PHI may be included in the facility directory and given to those individuals who inquire about the patient by name:
  - Name
  - Location within the facility
  - Condition of the patient in general terms (e.g., good, critical, serious)
- Only members of the clergy may have access to the religious affiliation of the patient, if provided
- If the patient has opted out of the patient directory, no information may be discussed; simply say, “I have no information on that person.”
Patient Rights
Under the HIPAA Privacy Regulations, patients have the right to:
- Receive the Notice of Privacy Practices
- Inspect and request a copy of their PHI
- Know to whom their information is being disclosed in certain situations
- Request restrictions on use and disclosure of their PHI
- Request an amendment to their PHI
- Request confidential communications of their PHI

Case Study
While working on the fourth floor, Sally Housekeeper noticed that her neighbor Penny Patient was walking down the hall in a hospital gown and pushing an IV pole. When she went home later that day, she told her husband that she saw their neighbor on the cancer unit. Is this a HIPAA violation? Why?

Case Study
Penny Patient is waiting in the outpatient clinic. Nurse Jones enters the waiting room and calls out, “Penny Patient.” While still in the waiting room, Nurse Jones asks Penny Patient, “Have you been taking your Prozac for your depression?” Is this a HIPAA violation? Why?

Case Study
Nurse Jane sees an employee looking through the medical records to find out medical information about another employee who is a patient in the facility, but Nurse Jane is not one of the caregivers for the patient. What should Nurse Jane do?

How Do I Begin…?
- Become privacy focused
- Know and follow the HIPAA Privacy Policies and our facility’s privacy procedures
- Understand the importance of privacy to our organization and our patients, and to keeping yourself safe from civil or criminal prosecution
- Be sensitive to the patient’s privacy needs and rights
- Keep patient information as private as you would want your own information kept

To Recap…
- The facility is committed to and serious about patient privacy
- All complaints regarding patient privacy will be taken seriously
- The facility will investigate all privacy complaints
- Employees who violate the HIPAA Privacy Policies or any privacy practices and procedures will be subject to disciplinary actions, which could include verbal or written warnings, suspension from duties, or termination
- Retaliation against any person for reporting actual or suspected violations will not be tolerated

What Can Happen If I Violate CHS Policy or Break the Law?
- Under recent changes in the law, state and federal authorities may now hold workforce members individually responsible for their actions!
- Fines ranging from $50,000 per violation to as much as $250,000
- Criminal prosecution and up to 10 years in jail may occur depending on the type of violation
- Civil suits by state Attorneys General against the facility
- Violation of CHS policy will result in appropriate disciplinary action up to and including termination

Notable Enforcement Action: Fernando Ferrer, Jr. and Isis Machado
- Machado, an employee at Cleveland Clinic, used her computer access to obtain PHI, which was then sold to her cousin, Fernando Ferrer. Ferrer used the stolen PHI to submit fraudulent claims in excess of $7 million.
- Charged with:
  1. Computer fraud
  2. Conspiracy to commit identity theft
  3. Conspiracy to wrongfully disclose IIHI (HIPAA)
- Ferrer: 87 months prison, 3 years supervised release, restitution of $2,505,883.43.
- Machado: 3 years prison, 6 months home confinement, same restitution.

A Case of Identity Theft… NOT!
- Trumann, Northeast Arkansas: after entering a guilty plea to a criminal HIPAA violation, a nurse faces up to 10 years in prison and a possible fine of $250,000.00!
- This was not a case of identity theft or stolen financial information… The information was reportedly disclosed to her husband, who threatened to use the information against the patient in an upcoming legal proceeding!

“Octomom”
- Kaiser Permanente Bellflower Medical Center was fined $250,000 for failing to keep workers from peeking at “octomom” Nadya Suleman’s electronic health records.
- 23 unauthorized staff and physicians accessed the records, including some at other Kaiser facilities.
- 1 person was fired, 14 others resigned and 8 were disciplined.

Sentenced to Prison
- A 22-year-old woman was sentenced to a year in prison for illegally accessing another woman’s medical records at her place of employment and then posting on a MySpace page that the other woman had HIV.

Final Thoughts
- Confidentiality and protecting PHI is everyone’s job.
- Privacy matters.
- Don’t discuss protected healthcare information in public or with those who do not need to know.
- Don’t get casual about privacy and confidentiality.
- Remember… it could be your health information that someone is talking about.

Questions?
“HIPAA SENSE IS COMMON SENSE”